[Swan] Is it possible to apply a (private) policy to host-to-host vpn-cfg ?
Daniel Thielemann
luie at mailbox.org
Fri Apr 17 02:08:50 UTC 2020
Hi,
I would like to use different host-to-host VPNs to "authenticate" the
hosts before they can communicate with each other, and have solved this with
RSASIG keys so far - works fine.
To lock it down completely, I would like to ask if there is any way I
could apply a "private or drop/hold packet" policy to my VPN configs so
that packets are encrypted in ANY case before they leave the box. I used
the parameters already, but the shunting/whack (don't know what's the
right name for it) policies didn't come up. I think that is because it only
works with "conn private" and %opportunisticgroup, right? Is there any
other way to achieve this so that I can stick with my rsasigkeys?
Because I have different levels of security (roles), it would be great to
find a way, because then I really know which host can talk to whom.
Boxes are running CentOS 8 with libreswan 3.29-6.el8.
Config:

    conn tun_ap01
        leftid=@db01.mydom.lan
        left=192.168.3.1
        leftrsasigkey=<snip>
        rightid=@ap01.mydom.lan
        right=192.168.2.1
        rightrsasigkey=<snip>
        authby=rsasig
        # use auto=start when done testing the tunnel
        auto=start
        encapsulation=yes
        ikev2=insist
        phase2=esp
        narrowing=yes
        negotiationshunt=hold
        failureshunt=drop
        keyingtries=%forever
        retransmit-timeout=3s
Thanks in advance
Kind regards,
Daniel
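An added audit script (not from the post and not libreswan's own code) that parses ipsec.conf conn sections and flags any conn that lacks the negotiationshunt=hold / failureshunt=drop pair the post relies on. The sample conf is constructed from the conn above (rsasigkeys omitted) plus a hypothetical tun_ap02 without shunt settings; whether libreswan honours these parameters on a non-opportunistic conn is exactly the open question in the post, so the script only verifies that the intended settings are present in every conn.

```python
import re

# Constructed sample modelled on the conn from the post (rsasigkeys omitted);
# tun_ap02 is a hypothetical second conn with no shunt settings.
SAMPLE_CONF = """\
conn tun_ap01
    left=192.168.3.1
    right=192.168.2.1
    authby=rsasig
    auto=start
    ikev2=insist
    negotiationshunt=hold
    failureshunt=drop

conn tun_ap02
    left=192.168.3.1
    right=192.168.4.1
    authby=rsasig
    auto=start
"""

# Settings each conn should carry: hold plaintext while negotiating, drop it on failure.
REQUIRED = {"negotiationshunt": "hold", "failureshunt": "drop"}

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:                                      # start of a conn section
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip().lower()] = value.strip()
        else:                                      # e.g. "config setup": leave conn scope
            current = None
    return conns

def audit(text):
    """Return {conn_name: [problem, ...]}; an empty list means the conn passes."""
    report = {}
    for name, params in parse_conns(text).items():
        report[name] = [f"{k}={params.get(k, '<unset>')} (want {v})"
                        for k, v in REQUIRED.items() if params.get(k) != v]
    return report
```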